The Department of Health and Human
Services has developed a series of privacy regulations known
collectively as the Health Insurance Portability and Accountability
Act of 1996 ("HIPAA"). These regulations are designed to protect
the privacy rights of individuals with regard to their confidential
medical records. The act greatly restricts the dissemination
and transmittal of personal patient information and will dramatically
affect the way healthcare information is handled.

Who do the HIPAA Regulations Apply to?

HIPAA regulations have been crafted
to have broad application. The provisions of the Act extend
to all health care plans, health care providers who transmit
health records in an electronic format, and health care clearinghouses
and billing companies. The Act refers to these organizations
as "Covered Entities". Ultimately, however, almost everyone
will be affected in one way or another by these regulations,
which will impact both consumers and providers of health care
services.

Are Medical Transcription Services Considered
"Covered Entities"?

Most Medical Transcription Services
and their employees are not considered "Covered Entities"
under the Act unless their organization also engages in services
that put them in the category of "Covered Entity". Medical
Transcription Services are typically regarded under the Act
as "Business Associates". The Act defines a Business Associate
as "any person or organization that performs a function or
activity on behalf of a Covered Entity, but is not part of
the Covered Entity's workforce (employees, volunteers, trainees
and others under the Covered Entity's direct control, regardless
of whether they are paid by the Covered Entity)." Be aware
that state regulations may differ from national regulations
and certain States may define MT Services as Covered Entities.

As a Business Associate, a Medical
Transcription Service may not be directly governed by HIPAA
regulations. However, Business Associates are governed indirectly
by virtue of the fact that Covered Entities are required to
obtain written assurances from the Business Associates that
they deal with to ensure that patient identifying information
is appropriately safeguarded. These written assurances must
be included in a written contract between the Covered Entity
and the Business Associate.

Because of the strict requirements
of the Act relating to Covered Entities, Business Associates
can expect that the Covered Entities for whom they perform
services will be vigilant in requiring evidence of compliance
from their Business Associate partners. This will likely take
different forms from organization to organization. However,
MT Services should plan to understand and implement their
own action plans and oversight mechanisms to ensure that they
meet the requirements of the Act.

Medical transcriptionists who operate
as Independent Contractors to Medical Transcription Services
(Business Associates) and who have direct access to patient
health information are referred to by the Act as "Third Parties."
Third Parties must have a written contract with the Business
Associate for whom they provide contract services to assure
that patient information conveyed to them will be appropriately
safeguarded and that all electronic data transmissions between
the Third Party and the Business Associate are conducted in
accordance with the approved national standard. This contract
should be similar in nature and scope to the contract between
the Business Associate and the Covered Entity.

When does HIPAA Become Effective?

The rules became officially effective
on April 14, 2001. However, the Act provided for a period
of time before complete compliance was mandated. Small health
care plans, for example, had until April 14, 2004 to become
completely compliant. All other covered entities were required
to become fully compliant by April 14, 2003.

Does the Act Govern the Transmittal of
Electronic Patient Information?

The Act calls for the standardization
of electronic document transmittal. The national standard
which has been prescribed by HIPAA for electronic health record
transmittal is ANSI X12. This national standard governs both
the content and the format of patient information that is
sent electronically between two organizations.

What are the Other Key Provisions of the
Act?

The primary focus of the Act is
to restrict the dissemination of patient health care information.
The conditions under which information can be conveyed are
spelled out very explicitly. If the Act does not specifically
allow for health care information to be shared in a certain
manner or under a certain set of conditions, it is prohibited.

The rules specifically pertain to
health information that is transmitted or maintained in any
form (oral, paper, electronic, etc.) and which contains patient
identifying information. Patient identifying information includes
such things as name, address, social security number, phone
number, and any other information which could be used to identify
an individual.

In order to be compliant, covered
entities must implement measures to ensure that patient information
is protected in accordance with the provisions of the Act.
Specifically:

Written notification must be
given to individuals telling them how information will be
used and to whom it will be disseminated (insurance and
billing companies, or other health care practitioners, for
example).

Written consent must be obtained
from the individual allowing for the use and maintenance
of personal information as provided for by the Act.

Disclosure or use of information
for any other purpose or to any other organization requires
specific authorization from the individual.

Reasonable efforts must be made
by covered entities to minimize the dispersal of patient
information.

Health information can be conveyed
to Business Associates ("Business Associates" is a term
that typically includes Medical Transcription Service Providers
and their employees) only after written assurance is provided
to guarantee the protection of the information.

Privacy officials must be appointed
by each covered entity to develop, implement and oversee
privacy policy for the covered organization. A primary contact
person must also be designated to handle complaints and
inquiries about the organization's policy.

All employees of the covered
entity must receive formal training to ensure that they
understand the requirements of the privacy Act as they pertain
to their specific duties.

Covered entities must establish
adequate administrative, technical and physical safeguards
to ensure that all privacy requirements are upheld within
the organization.

What are the Penalties for Non-Compliance?

Covered entities which fail to comply
with the final regulations by the mandated compliance date
may incur stiff penalties, including the payment of a fine.
In certain cases, criminal charges may be brought against
the non-compliant entity.